The Problem: Managing Fine Grained Entitlements in SOA
In recent years, there has been a push among large organizations to centralize the administration of user identities and their associated access privileges to corporate resources. A key driver for identity and access centralization is security compliance.
By regulating and tracking what resources a user accesses, Identity and Access Management products give corporations assurance that users are both authentic and restricted to those resources to which they are entitled. However, the problem of centrally controlling and auditing an identity’s access to an application resource is not limited to user-machine interactions.
SOA is predicated on the ability of a machine-based client application to call a machine-based Web service through a programmatic interface. That means a client application will need to present a Web service with a credential proving its identity, in a format the service can both understand and verify, without a human intermediary to help the process along. Moreover, the operator of the Web service will want to make decisions around access entitlements, single sign-on and downstream authentication based on the credentials a client application presents. Doing this in an automated, scalable and declarative way requires a different approach than the Web.
Solution: Policy Based Entitlements
Identity and access management products for the Web are available from several vendors including IBM, Oracle, CA, Sun, Microsoft, Novell and RSA, among others. However, extending these directories and access products to support machine-to-machine SOA interactions requires a specialized, identity-aware intermediary that can sit between client applications and the services whose access it enforces. Operators of Web services need the ability to control which client applications can authenticate to their services and what information or functionality those client applications are authorized to access, and then to track the resulting interactions for compliance purposes. Using an intermediary provides a mechanism to interpose a control point between client applications and services without altering code on either the client or the service. It also provides a centralized point for transposing credentials, enforcing entitlements and integrating with existing Policy Decision Points. Doing this in a declarative, policy-driven way ensures that these controls are implemented consistently. Enforcing these decisions in an intermediary also simplifies the deployment architecture.
Layer 7 Value: Policy-based Entitlements Enforcement
The SecureSpan XML Firewall provides security managers a simple-to-configure, scalable, policy-based solution for managing entitlements across distributed and even federated services. The SecureSpan XML Firewall ships with adapters for all leading directory and SSO products, so customers can reuse existing identity stores for SOA-based authentication decisions. Fine-grained authorization decisions can then be layered onto the SOA through graphical WS-Policy- and XACML-compliant policies defined in SecureSpan Policy Manager, so that entitlements can be enforced down to an operation or method level. Using the same policy language, credentials can be translated for downstream consumption through the embedded STS (or via WS-Trust / WS-Federation call-outs to an external token service).
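To make the intermediary model concrete, here is an added example (not Layer 7 code) of the core decision such a policy enforcement point makes on each SOAP request: identify the calling application from its WS-Security UsernameToken, look up its roles in an identity store, authorize the specific operation named in the SOAP body against deny-by-default policy rules, and record the decision for audit. The identity store, roles, service and operation names, and the policy table are all constructed for illustration.

```python
"""Operation-level entitlement check at a SOA intermediary (illustrative)."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed identity store (assumption): client application -> roles.
IDENTITY_STORE = {"billing-app": {"billing"}, "reporting-app": {"reporting"}}

# Constructed XACML-style rules: (service, operation, role) -> "Permit".
# Anything not listed is denied, so the PEP is deny-by-default.
POLICY = {
    ("AccountService", "GetBalance", "billing"): "Permit",
    ("AccountService", "GetBalance", "reporting"): "Permit",
    ("AccountService", "Transfer", "billing"): "Permit",
}

AUDIT_LOG = []  # compliance trail: one entry per access decision


def extract_request(envelope_xml):
    """Return (client_id, operation) from the WS-Security header and Body."""
    root = ET.fromstring(envelope_xml)
    user = root.find(f".//{{{WSSE_NS}}}UsernameToken/{{{WSSE_NS}}}Username")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if user is None or body is None or len(body) == 0:
        return None, None  # missing credential or empty body
    # The operation is the local name of the first child element of Body.
    operation = body[0].tag.split("}")[-1]
    return user.text.strip(), operation


def decide(service, envelope_xml):
    """Authenticate the caller, authorize the operation, and audit the result."""
    client_id, operation = extract_request(envelope_xml)
    roles = IDENTITY_STORE.get(client_id, set())  # unknown client -> no roles
    permitted = any(POLICY.get((service, operation, r)) == "Permit" for r in roles)
    decision = "Permit" if permitted else "Deny"
    AUDIT_LOG.append((client_id, service, operation, decision))
    return decision


def soap_request(client_id, operation):
    """Build a constructed SOAP envelope carrying a UsernameToken (test input)."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
            f'<s:Header><wsse:Security><wsse:UsernameToken>'
            f'<wsse:Username>{client_id}</wsse:Username>'
            f'</wsse:UsernameToken></wsse:Security></s:Header>'
            f'<s:Body><{operation} xmlns="urn:example:accounts"/></s:Body>'
            f'</s:Envelope>')
```

A real deployment would verify the token (password digest, signature or certificate chain) before trusting the username, and would delegate the rule lookup to an external Policy Decision Point; this block only shows the enforcement flow.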
For deployments requiring federation of Web services, the SecureSpan XML VPN Client can be deployed alongside the SecureSpan XML Firewall. When installed in an external identity domain, the SecureSpan XML VPN Client can negotiate a security token with a local STS, bundle the token in a WS-* and WS-I compliant message, and pass the message to the SecureSpan XML Firewall for processing and authentication, thus simplifying entitlements across federated SOAs.